-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlogmx.html
37 lines (35 loc) · 2.81 KB
/
logmx.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<h1>The GUP generic update process in LogMX before 7.4.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update. </h1>
<p>The update check is performed over plaintext HTTP and a HTTP GET request is send:
<a href="http://logmx.com/check_update.php?ver=v7.0.0&java=1.8.0_172&arch=amd64&os=win">http://logmx.com/check_update.php?ver=v7.0.0&java=1.8.0_172&arch=amd64&os=win</a>
</p>
<p>
The response is a message that contains the latest version-number of the latest release and a change-log.<br />If a newer version is available, then a second HTTP GET request is performed:
<a href="http://logmx.com/download_file.php?id=4&from=app">http://logmx.com/download_file.php?id=4&from=app</a>
</p>
<p>
This second request will fetch the new file over an unsecured channel.<br />Then the user is prompted with the change-log and the question if he wants to install this new update.<br />
The update downloaded is a tgz file that contains the whole folder structure and that can be backdoor-ed since the download is performed over plaintext HTTP and there is no integrity and/or authenticity verification mechanism in place. Furthermore, under advanced options, the option to check for updates each week is activated by default.
</p>
<p>
The tar file needs to be decompressed:<br />
tar -xzf LogMX_v7.3.0.tgz<br />
This will create a folder named LogMX_v7.3.0_eval that contains all files and folders related to the application.<br />
<br />
The subfolder jar contains only one file logmx.jar. A jar-file is actually a zip file and when renamed to zip this file can be extracted. We can replace the LogMXUpdater.class with a malicious one since this file will be executed during the update.
<br />
To do so, you can use the attached file 'LogMXUpdater.java', of course you must change the LHOST and LPORT to match yours.<br />
<br />
And compile this file to obtain a LogMXUpdater.class file:<br />
javac LogMXUpdater.java<br />
<br />
Replace the original LogMXUpdater.class file from the extracted jar file with our freshly compiled on and re-zip the files back into a logmx.zip file. Rename this file back to logmx.jar.<br />
<br />
Recreate the tar file:<br />
tar -czf LogMX_update_v7.3.0.tgz LogMX_v7.1.0_eval/<br />
<br />
Ideally the malicious update should be delivered via a MITM-position such as ARP-poisoning or by a proxy. To simulate the behavior it is possible to replace the downloaded file on the machine before clicking on the Update LogMX-button. The downloaded tar-file is located at %APPDATA%\..\Local\Temp\LogMX_Update and this file can be replaced to easily simulate the tampering with the file download.
</p>
<p>
<a href="LogMXUpdater.java">LogMXUpdater.java</a><br />
<a href="PoC_LogMX_Backdoored_Updater.mp4">PoC_LogMX_Backdoored_Updater.mp4</a>
</p>